Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stremio CLI

Stremio automation via browser + Torrentio on Mac Mini. Searches for shows/movies, selects highest-seeded streams, and plays them. Use when user wants to wat...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 60 · 0 current installs · 0 all-time installs
by BEARLY_HODLING @bearly-hodling
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to rely on the built-in browser tool and needs no credentials, but the bundle includes a Python script that embeds a hardcoded streamingServer URL (a stremio.rocks host with an IP-like subdomain) and assumes 'catt' is installed. That script's behavior (intercepting stream URLs and casting them) is related to the stated purpose, but the presence of a hardcoded third-party streaming server and a legacy script that the SKILL.md says is 'not used' is an incoherence that needs justification.
Instruction Scope
SKILL.md instructs the agent to use the browser tool only and does not direct the agent to read system secrets; however it explicitly states 'Credentials for Stremio account are in Keychain' (with a specific email), which implies use of system credential storage. The included script would capture stream URLs from web requests and hand them to a local casting tool — behavior not described in the SKILL.md. The mismatch between the instructions and the included script expands the effective scope and is potentially risky.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but a code file is present. Since no install runs automatically, nothing will be written during install; however the included script assumes Playwright and 'catt' exist in the runtime environment. The absence of an install spec plus included runnable code is an odd combination that should be clarified.
Credentials
The skill declares no required environment variables, but SKILL.md calls out Stremio credentials stored in macOS Keychain (and even includes a specific email). Requiring access to system Keychain data is sensitive. The package does not declare or explain how credentials are retrieved; the included script doesn't access Keychain but would operate under the environment's existing session. This gap between claimed credential location and declared requirements is disproportionate and unclear.
Persistence & Privilege
The skill does not request always:true and does not declare changes to other skills or persistent system-wide configuration. Autonomous invocation is allowed by default, which is normal. There is no install-time persistence requested by the manifest.
What to consider before installing
Do not install or run this skill until the author answers these questions:

  1. Why is there a hardcoded streamingServer URL (the stremio.rocks host with an IP-like subdomain) in scripts/stremio_cast.py? Who controls that host and why would your streams be proxied through it?
  2. The SKILL.md says the Python script is 'legacy' and 'not used' — please remove the file or state explicitly whether the agent may execute it.
  3. Explain how Stremio credentials in Keychain are used; confirm the skill will not programmatically read or transmit Keychain entries without explicit user consent.
  4. Confirm whether the skill will execute local binaries (e.g., 'catt') and whether those binaries are required/trusted.

If you must test, run in an isolated environment (no sensitive Keychain entries, limited network access) and audit network traffic to ensure streams aren't routed through unknown third-party servers.

If these questions are answered satisfactorily (remove or sanitize the hardcoded host, explicit Keychain behavior, and a clear statement that the legacy script will not run), the incoherences would be resolved.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.1.0
latestvk97dkeqd9wn7wde3ftwxad8vz9838cfm

SKILL.md

Stremio CLI

Automates Stremio web with Torrentio addon using browser control on the Mac Mini.

Workflow: Open Stremio web → search title → find episode/season → select highest-seeded Torrentio stream → play.

Perfect for quick streaming sessions. Stremio account credentials are saved in macOS Keychain (bhal.punia@icloud.com).

When to use

Use this skill for any request like:

  • "watch stargate"
  • "play stremio"
  • "stremio sg1"
  • "put on stargate on stremio"

Always ask for specific season + episode if not given (default pattern is S4E15+ for Stargate SG-1).

Prerequisites

  • Browser tool (Playwright) available in OpenClaw
  • Stremio account logged in via Keychain on Mac Mini

How to use

Trigger with natural requests like "stremio stargate" or "watch latest episode".

The skill uses the browser tool to:

  1. Navigate to Stremio web (with Torrentio addon active)
  2. Search for the show
  3. Select the correct season/episode
  4. Pick the highest-seeded Torrentio stream
  5. Play it

Current default: Stargate SG-1 (ask for exact S##E## if needed).

The script in scripts/stremio_cast.py is Portuguese/legacy and not used — we rely on the built-in browser tool instead.

Files

3 total